The Sad State of Passwords Part 2: oAuth is ohh-some!

 

Part 1 can be found here

This is not the end all be all of security advice.  This is general information that everyone should implement.  I understand that I’m omitting a lot of information, but the goal is getting more people to start thinking with security in mind.

Now that you have changed all your passwords, you have found yourself reliant to your password manager.  You also probably hate me because your password manager doesn’t integrate with your phone, or your non browser apps.  Logging into a site via your phone with the password E#7xYAzUh*^GvgVx is almost impossible.  Well, you are not the first person to complain about this.  Part two focuses on how to dramatically ease the burden of all these passwords.    Maybe I should have started with this, but what you will see is that oAuth is your gatekeeper.  If your gatekeeper is weak, then your failure is exponentiated.

One major tenet of security is to obscure yourself. The more websites you have credentials to, the higher probability you have of something being compromised.  With  hackers being so smart, and security being secondary (and hard), many websites just overlook the problem. How many times have you forgotten your password, and when you requested it, your password was sent back to you in plain text?  A plain text passwords just means that if someone accesses the database by (il)legal means, your password is compromised.  Password cracking has iterated faster than the security to secure it.  LinkedIn was using strong security back when they implemented the database.  In 2006 SHA-1 (the encryption algorithm used), was the strongest.  Now SHA-1 is trivial to crack.  Nobody ever updated the database.

Security is an added cost without any realized added benefit.  

As a user, you have to trust the website.  It is almost impossible for me to trust some random website.  Sure it looks beautiful, but it isn’t that hard to recreate.  Just because a site looks professionally done, doesn’t mean it is.  Logging in also means your information is in the hands of someone else (whom you don’t know).  If you could authenticate using someone you trust, wouldn’t you do it?  If you can avoid typing your information, but yet post and comment using information from another site, wouldn’t you do it?  This is where oAuth comes in.

oAuth stands for open authentication, and it is designed to use a mainstream authentication platform to either create a login, or use those credentials to allow website functionality.  So instead of recreating a username, and having to inputting information again, the website calls your trusted service, and asks for that information.  This is all done without the website having any information.

I can’t emphasize enough how great this is, for both, convenience and security.  How many times did you want to comment on a website, but didn’t feel like creating a whole new login?  Gawker is an example that comes to mind.  They have been through multiple authentication types, first through their own in-house system, but most recently moved to oAuth.  In fact after their passwords got stolen, they went to oAuth.

So what does oAuth look like?

Once you click login, you will be asked how do you want to do it.  Just like the above picture, you will be given a choice.  I usually stick to the big three, Google, Facebook, or Twitter.  There is no real right answer, but I usually choose the ones that integrate the best, (more on that later).  After you choose your service a pop-up (on the left) taking you that service (in this case Twitter).  Taking you out of the original site and bringing you to the oAuth site is IMPORTANT.  That prevents leakage of information.  Always check to make sure that pop-up is the site that you are authenticating against.  After authenticating, with LastPass and your obnoxiously long random generated password, that pop-up will disappear, and you should be brought back to the original site.

Sites that do more than just allow commenting, now may need you to input additional information specific to that account.

oAuth on a Smart Phone:

Imagine typing and remembering all those pseudo-random passwords on your smart phone.  It is next to impossible.  This is why people don’t change passwords.  In my case, I’ll have to input new passwords on my phone, tablet, iPad, and all my computers.  So while LastPass makes it easy, on a smartphone it is not.  If you can oAuth yourself, changing your password on that site (if you have one) becomes simple.  A super strong password will get you in if needed, but you can always oAuth.

What Happens in a Password Leak:

This is where oAuth shines.  If a password database gets out, you are safe because you didn’t give any information to that site.  Your main information from Facebook or Twitter is however not jeopardized.

If your oAuth site (Twitter/Facebook/Google) has a password leak, all you have to do is change that site’s password.  The more important problem is that if those sites get compromised, you have a REAL problem.  If it is just your password, change the password.  If the password database gets out, follow those directions.

(Advanced) Permissions and What to Watch For:

Note what is listed in green and red in the above photo.  In green it says:  ”This application WILL BE ABLE TO:” 1) Read tweets in your timeline, and 2) See who you follow.  In red it says: “This application WILL NOT be able to: “1) Follow new people, 2) Update your profile, 3) Post Tweets for you, 4) Access your direct messages, and 5) See your Twitter password.  At the bottom it says how you can revoke access to the application if it violates your trust.  oAuth requires notification to the user of what permissions it will give to the website.  Be smart about what a website needs. It is very simple to reject an app if it violates your trust.

In the Facebook above case, it needs basic information, but wants to post on my behalf.  Since I don’t mind this app posting on my behalf I leave it.  When authenticating with Facebook, you are given a choice.

I mentioned before that I regularly choose between Twitter, Facebook, and Google for my oAuth.  In fact, I generally authenticate against both Twitter and Facebook if offered.  Then in settings I make sure I do not allow it to auto post. Facebook is by far the most ubiquitous.  Twitter has the least amount of information (and usually the easiest).  Google I usually authenticate if it uses the Google services.  Generally, the least damaging service is the one that I want to use.

Every once in a while, or when an errant post gets published, I check what sites I have authorized.  MyPermissions.org is a one stop site that will get all your permissions, once you oAuth with them.

Remember, this is not an insurance policy, but rather another method to reduce the amount of sites that have your personal information.  These sites are well-known and trusted.
Part 3: Use 2 Factor Authentication

One thought on “The Sad State of Passwords Part 2: oAuth is ohh-some!

Leave a Reply